F040 · MEDIUM · Suspicious · validator: passed
Adobe ARM helper staging with execution in temp (TA0002: Execution, TA0009: Collection)
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp\AdobeARMHelper.exe
Analyst narrative
AdobeARMHelper.exe was detected in AppCompatCache with the executed flag set, staged in a temp directory path containing a numeric ID (Adobe ARM Listener). This indicates potential exploitation or unauthorized tool deployment.
Claims asserted
path · C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp\AdobeARMHelper.exe · run_appcompatcacheparser
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
run_appcompatcacheparser